Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
Richard Barnes <rlb@ipv.sx> Thu, 20 June 2013 18:39 UTC
What you mean to say is that there are really two algorithms here, depending on the media type:

application/jose
-> If 3 components, JWS
-> If 5 components, JWE

application/jose+json
-> If 'payload', JWS
-> If 'ciphertext', JWE

On Thu, Jun 20, 2013 at 1:41 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> I know of no use cases where the application won’t know whether it’s
> using the Compact Serialization or the JSON Serialization.
>
> *From:* Richard Barnes [mailto:rlb@ipv.sx]
> *Sent:* Thursday, June 20, 2013 9:49 AM
> *To:* Mike Jones
> *Cc:* jose@ietf.org
> *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
>
> That algorithm is part of the story, but it's incomplete. What we need is
> an algorithm that starts with an arbitrary octet string and sorts by
> JWS/JWE and serialization. An outline of the flow chart:
>
> 1. If content parses as valid JSON
> 1.*. Parse JSON
> 1.1. Contains a "ciphertext" field -> JWE + JSON
> 1.2. Contains a "payload" field -> JWS + JSON
> 1.3. Else fail
> 2. Else if content matches the regex "^[a-zA-Z0-9_.-]*$"
> 2.*. Split on "."
> 2.1. If 5 components -> JWE + compact
> 2.2. If 3 components -> JWS + compact
> 2.3. Else fail
> 3. Else fail
>
> There's also the question of which document this goes in. It would be a
> natural thing for a combined JWS+JWE document, but we don't have one of
> those :(
>
> On Thu, Jun 20, 2013 at 11:19 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> There is a defined algorithm to distinguish between the JWS and JWE
> objects in the third paragraph of
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11#section-4.
>
> -- Mike
>
> *From:* Richard Barnes [mailto:rlb@ipv.sx]
> *Sent:* Thursday, June 20, 2013 8:15 AM
> *To:* Mike Jones
> *Cc:* jose@ietf.org
> *Subject:* Re: [jose] Should we keep or remove the JOSE JWS and JWE MIME types?
>
> Multiplexing JWE and JWS under a single JOSE media type only makes sense
> if there's a defined algorithm to demux them. So if you want to do this,
> you would need to write down the algorithm.
>
> Personally, it seems simpler and clearer to me to just have the four
> current types, so that you know which type of object you're dealing with,
> and in what serialization, without having to do content sniffing.
>
> On Tue, Jun 18, 2013 at 9:26 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> The JWS and JWE documents currently define these MIME types for the
> convenience of applications that may want to use them:
>
> application/jws
> application/jws+json
> application/jwe
> application/jwe+json
>
> That being said, I’m not aware of any uses of these by applications at
> present. Thus, I think that makes it fair game to ask whether we want to
> keep them or remove them – in which case, if applications ever needed them,
> they could define them later.
>
> Another dimension of this question for JWS and JWE is that it’s not clear
> that the four types application/jws, application/jws+json, application/jwe,
> and application/jwe+json are even the right ones. It might be more useful
> to have generic application/jose and application/jose+json types, which
> could hold either JWS or JWE objects respectively using the compact or JSON
> serializations (although I’m not advocating adding them at this time).
>
> Having different JWS versus JWE MIME types apparently did contribute to at
> least Dick’s confusion about the purpose of the “typ” field, so deleting
> them could help eliminate this possibility of confusion in the future.
> Thus, I’m increasingly convinced we should get rid of the JWS and JWE types
> and leave it up to applications to define the types they need, when they
> need them.
>
> Do people have use cases for these four MIME types now or should we leave
> them to future specs to define, if needed?
>
> -- Mike
>
> P.S. For completeness, I’ll add that the JWK document also defines these
> MIME types:
>
> application/jwk+json
> application/jwk-set+json
>
> There are already clear use cases for these types, so I’m not advocating
> deleting them, but wanted to call that out explicitly. For instance, when
> retrieving a JWK Set document referenced by a “jku” header parameter, I
> believe that the result should use the application/jwk-set+json type. (In
> fact, I’ll add this to the specs, unless there are any objections.)
> Likewise, draft-miller-jose-jwe-protected-jwk-02 already uses
> application/jwk+json. Both could also be used as “cty” values when encrypting
> JWKs and JWK Sets, in contexts where that would be useful.
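
The flow chart outlined in this thread, together with the two-algorithm variant keyed on the media type, as an added example that is not part of the original message or of any JOSE draft. The function names are hypothetical and the sample inputs are constructed; failure is reported as `ValueError`.

```python
import json
import re

# Regex quoted in the thread; fullmatch() is used so a trailing newline is rejected.
COMPACT_RE = re.compile(r"^[a-zA-Z0-9_.-]*$")

def classify_json(value):
    """Steps 1.1-1.3: decide JWS vs JWE from a parsed JSON value."""
    if not isinstance(value, dict):
        raise ValueError("valid JSON, but not an object")
    if "ciphertext" in value:      # tested first, as in the outline
        return ("JWE", "json")
    if "payload" in value:
        return ("JWS", "json")
    raise ValueError("JSON object has neither 'ciphertext' nor 'payload'")

def classify_compact(text):
    """Steps 2.*-2.3: decide JWS vs JWE from the number of dot-separated parts."""
    if not COMPACT_RE.fullmatch(text):
        raise ValueError("not a compact serialization")
    parts = len(text.split("."))
    if parts == 5:
        return ("JWE", "compact")
    if parts == 3:
        return ("JWS", "compact")
    raise ValueError(f"{parts} components, expected 3 or 5")

def sniff(octets):
    """Full outline: arbitrary octets -> (object type, serialization)."""
    text = octets.decode("utf-8")       # UnicodeDecodeError is a ValueError
    try:
        value = json.loads(text)
    except ValueError:
        return classify_compact(text)   # step 2: did not parse as JSON
    return classify_json(value)         # step 1: parsed as JSON

def classify_by_media_type(media_type, octets):
    """Two-algorithm variant: the media type fixes the serialization."""
    text = octets.decode("utf-8")
    if media_type == "application/jose":
        return classify_compact(text)
    if media_type == "application/jose+json":
        return classify_json(json.loads(text))
    raise ValueError("unsupported media type")

# Constructed inputs, not real tokens.
SAMPLES = [b"aaa.bbb.ccc", b"a.b.c.d.e", b'{"payload": "e30"}', b'{"ciphertext": "AAAA"}']
RESULTS = [sniff(s) for s in SAMPLES]
```

Inputs such as `1.2` match the compact regex but also parse as JSON, so the outline's ordering sends them down the JSON branch, where they fail at step 1.3.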